{"id":60043,"date":"2026-01-22T05:14:14","date_gmt":"2026-01-22T05:14:14","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=144888"},"modified":"2026-01-22T05:14:14","modified_gmt":"2026-01-22T05:14:14","slug":"resurgence-of-a-multi%e2%80%91stage-aitm-phishing-and-bec-campaign-abusing-sharepoint","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/resurgence-of-a-multi%e2%80%91stage-aitm-phishing-and-bec-campaign-abusing-sharepoint\/","title":{"rendered":"Resurgence of a multi\u2011stage AiTM phishing and BEC campaign abusing SharePoint\u00a0"},"content":{"rendered":"

Microsoft Defender Researchers uncovered a multi\u2011stage adversary\u2011in\u2011the\u2011middle (AiTM) phishing and business email compromise (BEC) campaign targeting multiple organizations in the energy sector, resulting in the compromise of various user accounts. The campaign abused SharePoint file\u2011sharing services to deliver phishing payloads and relied on inbox rule creation to maintain persistence and evade user awareness. The attack transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations.<\/p>\n

Following the initial compromise, the attackers leveraged trusted internal identities from the target to conduct large\u2011scale intra\u2011organizational and external phishing, significantly expanding the scope of the campaign. Defender detections surfaced the activity to all affected organizations.<\/p>\n

This attack demonstrates the operational complexity of AiTM campaigns and the need for remediation beyond standard identity compromise responses. Password resets alone are insufficient. Impacted organizations in the energy sector must additionally revoke active session cookies and remove attacker-created inbox rules used to evade detection.<\/p>\n

Attack chain: AiTM phishing attack<\/strong><\/h2>\n
<\/figure>\n

Stage 1: Initial access via trusted vendor compromise<\/strong><\/p>\n

Analysis of the initial access vector indicates that the campaign leveraged a phishing email sent from an email address belonging to a trusted organization, likely compromised before the operation began. The lure employed a SharePoint URL requiring user authentication and used subject\u2011line mimicry consistent with legitimate SharePoint document\u2011sharing workflows to increase credibility.<\/p>\n

Threat actors continue to leverage trusted cloud collaboration platforms particularly Microsoft SharePoint and OneDrive due to their ubiquity in enterprise environments. These services offer built\u2011in legitimacy, flexible file\u2011hosting capabilities, and authentication flows that adversaries can repurpose to obscure malicious intent. This widespread familiarity enables attackers to deliver phishing links and hosted payloads that frequently evade traditional email\u2011centric detection mechanisms.<\/p>\n

Stage 2: Malicious URL clicks<\/strong><\/p>\n

Threat actors often abuse legitimate services and brands to avoid detection. In this scenario, we observed that the attacker leveraged the SharePoint service for the phishing campaign. While threat actors may attempt to abuse widely trusted platforms, Microsoft continuously invests in safeguards, detections, and abuse prevention to limit misuse of our services and to rapidly detect and disrupt malicious activity<\/p>\n

Stage 3: AiTM attack<\/strong><\/p>\n

Access to the URL redirected users to a credential prompt, but visibility into the attack flow did not extend beyond the landing page.<\/p>\n

<\/figure>\n

Stage 4: Inbox rule creation<\/strong><\/p>\n

The attacker later signed in with another IP address and created an Inbox rule with parameters to delete all incoming emails on the user\u2019s mailbox and marked all the emails as read.<\/p>\n

Stage 5: Phishing campaign<\/strong><\/p>\n

Followed by Inbox rule creation, the attacker initiated a large-scale phishing campaign involving more than 600 emails with another phishing URL. The emails were sent to the compromised user\u2019s contacts, both within and outside of the organization, as well as distribution lists. The recipients were identified based on the recent email threads in the compromised user\u2019s inbox.<\/p>\n

Stage 6: BEC tactics<\/strong><\/p>\n

The attacker then monitored the victim user\u2019s mailbox for undelivered and out of office emails and deleted them from the Archive folder. The attacker read the emails from the recipients who raised questions regarding the authenticity of the phishing email and responded, possibly to falsely confirm that the email is legitimate. The emails and responses were then deleted from the mailbox. These techniques are common in any BEC attacks and are intended to keep the victim unaware of the attacker\u2019s operations, thus helping in persistence.<\/p>\n

Stage 7: Accounts compromise<\/strong><\/p>\n

The recipients of the phishing emails from within the organization who clicked on the malicious URL were also targeted by another AiTM attack. Microsoft Defender Experts identified all compromised users based on the landing IP and the sign-in IP patterns. <\/p>\n

Mitigation and protection guidance<\/h2>\n

Microsoft Defender XDR detects suspicious activities related to AiTM phishing attacks and their follow-on activities, such as sign-in attempts on multiple accounts and creation of malicious rules on compromised accounts. To further protect themselves from similar attacks, organizations should also consider complementing MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals like user or group membership, IP location information, and device status, among others.<\/p>\n

Defender Experts also initiated rapid response with Microsoft Defender XDR to contain the attack including:<\/p>\n